Add notgithub service to simulate github token scanning

Author: ewjoachim

dev/environment

@@ -43,3 +43,5 @@ WAREHOUSE_LEGACY_DOMAIN=pypi.python.org
 
 VAULT_URL="http://vault:8200"
 VAULT_TOKEN="an insecure vault access token"
+
+GITHUB_TOKEN_SCANNING_META_API_URL="http://notgithub:8000/meta/public_keys/token_scanning"

docker-compose.yml

@@ -142,3 +142,10 @@ services:
       - "8125:8125/udp"
     volumes:
       - ./dev/notdatadog.py:/opt/warehouse/dev/notdatadog.py
+
+  notgithub:
+    image: ewjoachim/notgithub-token-scanning
+    environment:
+      NOTGITHUB_DEFAULT_URL: "http://web:8000/_/github/disclose-token"
+    ports:
+      - "8964:8000"

tests/unit/integration/github/test_utils.py

@@ -113,15 +113,21 @@ def test_init(self):
         metrics = pretend.stub()
         session = pretend.stub()
         token = "api_token"
+        url = "http://foo"
         cache = utils.PublicKeysCache(cache_time=12)
 
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=session, metrics=metrics, api_token=token, public_keys_cache=cache
+            api_url=url,
+            session=session,
+            metrics=metrics,
+            api_token=token,
+            public_keys_cache=cache,
         )
 
         assert verifier._session is session
         assert verifier._metrics is metrics
         assert verifier._api_token == token
+        assert verifier._api_url == url
         assert verifier._public_keys_cache is cache
 
     def test_verify_cache_miss(self):
@@ -147,6 +153,7 @@ def test_verify_cache_miss(self):
         metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
         cache = utils.PublicKeysCache(cache_time=12)
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=session,
             metrics=metrics,
             api_token="api-token",
@@ -188,6 +195,7 @@ def test_verify_cache_hit(self):
             }
         ]
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=session,
             metrics=metrics,
             api_token="api-token",
@@ -218,6 +226,7 @@ def test_verify_error(self):
         metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
         cache = utils.PublicKeysCache(cache_time=12)
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=metrics,
             api_token="api-token",
@@ -236,6 +245,7 @@ def test_verify_error(self):
 
     def test_headers_auth_no_token(self):
         headers = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             api_token=None,
@@ -245,6 +255,7 @@ def test_headers_auth_no_token(self):
 
     def test_headers_auth_token(self):
         headers = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             api_token="api-token",
@@ -273,6 +284,7 @@ def test_retrieve_public_key_payload(self):
         metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
 
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=session,
             metrics=metrics,
             api_token="api-token",
@@ -281,7 +293,7 @@ def test_retrieve_public_key_payload(self):
         assert verifier._retrieve_public_key_payload() == meta_payload
         assert session.get.calls == [
             pretend.call(
-                "https://api.github.com/meta/public_keys/token_scanning",
+                "http://foo",
                 headers={"Authorization": "token api-token"},
             )
         ]
@@ -294,7 +306,10 @@ def test_get_cached_public_key_cache_hit(self):
         cache.set(now=time.time(), value=cache_value)
 
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=session, metrics=metrics, public_keys_cache=cache
+            api_url="http://foo",
+            session=session,
+            metrics=metrics,
+            public_keys_cache=cache,
         )
 
         assert verifier._get_cached_public_keys() is cache_value
@@ -305,7 +320,10 @@ def test_get_cached_public_key_cache_miss_no_cache(self):
         cache = utils.PublicKeysCache(cache_time=12)
 
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=session, metrics=metrics, public_keys_cache=cache
+            api_url="http://foo",
+            session=session,
+            metrics=metrics,
+            public_keys_cache=cache,
         )
 
         with pytest.raises(utils.CacheMiss):
@@ -321,7 +339,10 @@ def test_retrieve_public_key_payload_http_error(self):
             get=lambda *a, **k: response,
         )
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=session, metrics=pretend.stub(), public_keys_cache=pretend.stub()
+            api_url="http://foo",
+            session=session,
+            metrics=pretend.stub(),
+            public_keys_cache=pretend.stub(),
         )
         with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
             verifier._retrieve_public_key_payload()
@@ -337,7 +358,10 @@ def test_retrieve_public_key_payload_json_error(self):
         )
         session = pretend.stub(get=lambda *a, **k: response)
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=session, metrics=pretend.stub(), public_keys_cache=pretend.stub()
+            api_url="http://foo",
+            session=session,
+            metrics=pretend.stub(),
+            public_keys_cache=pretend.stub(),
         )
         with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
             verifier._retrieve_public_key_payload()
@@ -349,7 +373,10 @@ def test_retrieve_public_key_payload_connection_error(self):
         session = pretend.stub(get=pretend.raiser(requests.ConnectionError))
 
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=session, metrics=pretend.stub(), public_keys_cache=pretend.stub()
+            api_url="http://foo",
+            session=session,
+            metrics=pretend.stub(),
+            public_keys_cache=pretend.stub(),
         )
 
         with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
@@ -374,7 +401,10 @@ def test_extract_public_keys(self):
         }
         cache = utils.PublicKeysCache(cache_time=12)
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=pretend.stub(), metrics=pretend.stub(), public_keys_cache=cache
+            api_url="http://foo",
+            session=pretend.stub(),
+            metrics=pretend.stub(),
+            public_keys_cache=cache,
         )
 
         keys = verifier._extract_public_keys(pubkey_api_data=meta_payload)
@@ -414,7 +444,10 @@ def test_extract_public_keys(self):
     def test_extract_public_keys_error(self, payload, expected):
         cache = utils.PublicKeysCache(cache_time=12)
         verifier = utils.GitHubTokenScanningPayloadVerifier(
-            session=pretend.stub(), metrics=pretend.stub(), public_keys_cache=cache
+            api_url="http://foo",
+            session=pretend.stub(),
+            metrics=pretend.stub(),
+            public_keys_cache=cache,
         )
 
         with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
@@ -426,6 +459,7 @@ def test_extract_public_keys_error(self, payload, expected):
 
     def test_check_public_key(self):
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             public_keys_cache=pretend.stub(),
@@ -439,6 +473,7 @@ def test_check_public_key(self):
 
     def test_check_public_key_error(self):
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             public_keys_cache=pretend.stub(),
@@ -452,6 +487,7 @@ def test_check_public_key_error(self):
 
     def test_check_signature(self):
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             public_keys_cache=pretend.stub(),
@@ -481,6 +517,7 @@ def test_check_signature(self):
 
     def test_check_signature_invalid_signature(self):
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             public_keys_cache=pretend.stub(),
@@ -512,6 +549,7 @@ def test_check_signature_invalid_signature(self):
 
     def test_check_signature_invalid_crypto(self):
         verifier = utils.GitHubTokenScanningPayloadVerifier(
+            api_url="http://foo",
             session=pretend.stub(),
             metrics=pretend.stub(),
             public_keys_cache=pretend.stub(),

tests/unit/integration/github/test_views.py

@@ -29,7 +29,10 @@ def test_github_disclose_token(self, pyramid_request, monkeypatch):
 
         pyramid_request.body = "[1, 2, 3]"
         pyramid_request.json_body = [1, 2, 3]
-        pyramid_request.registry.settings = {"github.token": "token"}
+        pyramid_request.registry.settings = {
+            "github.token": "token",
+            "github.token_scanning_meta_api.url": "http://foo",
+        }
         pyramid_request.find_service = lambda *a, **k: metrics
 
         http = pyramid_request.http = pretend.stub()
@@ -46,7 +49,9 @@ def test_github_disclose_token(self, pyramid_request, monkeypatch):
 
         assert response.status_code == 204
         assert verifier_cls.calls == [
-            pretend.call(session=http, metrics=metrics, api_token="token")
+            pretend.call(
+                session=http, metrics=metrics, api_token="token", api_url="http://foo"
+            )
         ]
         assert verify.calls == [
             pretend.call(payload="[1, 2, 3]", key_id="foo", signature="bar")
@@ -70,7 +75,9 @@ def test_github_disclose_token_no_token(self, pyramid_request, monkeypatch):
 
         pyramid_request.body = "[1, 2, 3]"
         pyramid_request.json_body = [1, 2, 3]
-        pyramid_request.registry.settings = {}
+        pyramid_request.registry.settings = {
+            "github.token_scanning_meta_api.url": "http://foo"
+        }
         pyramid_request.find_service = lambda *a, **k: metrics
         pyramid_request.http = pretend.stub()
 
@@ -96,7 +103,10 @@ def test_github_disclose_token_verify_fail(self, monkeypatch, pyramid_request):
 
         pyramid_request.body = "[1, 2, 3]"
         pyramid_request.find_service = lambda *a, **k: metrics
-        pyramid_request.registry.settings = {"github.token": "token"}
+        pyramid_request.registry.settings = {
+            "github.token": "token",
+            "github.token_scanning_meta_api.url": "http://foo",
+        }
 
         pyramid_request.http = pretend.stub()
 
@@ -137,7 +147,12 @@ def find_service(self, *a, **k):
 
             response = pretend.stub(status_int=200)
             http = pretend.stub()
-            registry = pretend.stub(settings={"github.token": "token"})
+            registry = pretend.stub(
+                settings={
+                    "github.token": "token",
+                    "github.token_scanning_meta_api.url": "http://foo",
+                }
+            )
 
         request = Request()
         response = views.github_disclose_token(request)
@@ -160,7 +175,10 @@ def metrics_increment(key):
 
         pyramid_request.body = "{}"
         pyramid_request.json_body = {}
-        pyramid_request.registry.settings = {"github.token": "token"}
+        pyramid_request.registry.settings = {
+            "github.token": "token",
+            "github.token_scanning_meta_api.url": "http://foo",
+        }
         pyramid_request.find_service = lambda *a, **k: metrics_service
 
         pyramid_request.http = pretend.stub()

tests/unit/test_config.py

@@ -231,6 +231,9 @@ def __init__(self):
         "token.default.max_age": 21600,
         "warehouse.xmlrpc.client.ratelimit_string": "3600 per hour",
         "warehouse.xmlrpc.search.enabled": True,
+        "github.token_scanning_meta_api.url": (
+            "https://github.com/api/meta/public_keys/token_scanning"
+        ),
     }
     if environment == config.Environment.development:
         expected_settings.update(

warehouse/config.py

@@ -164,6 +164,12 @@ def configure(settings=None):
         settings, "warehouse.release_files_table", "WAREHOUSE_RELEASE_FILES_TABLE"
     )
     maybe_set(settings, "github.token", "GITHUB_TOKEN")
+    maybe_set(
+        settings,
+        "github.token_scanning_meta_api.url",
+        "GITHUB_TOKEN_SCANNING_META_API_URL",
+        default="https://github.com/api/meta/public_keys/token_scanning",
+    )
     maybe_set(settings, "warehouse.trending_table", "WAREHOUSE_TRENDING_TABLE")
     maybe_set(settings, "celery.broker_url", "BROKER_URL")
     maybe_set(settings, "celery.result_url", "REDIS_URL")

warehouse/integrations/github/utils.py

@@ -164,13 +164,15 @@ def __init__(
         *,
         session,
         metrics,
+        api_url: str,
         api_token: Optional[str] = None,
         public_keys_cache=PUBLIC_KEYS_CACHE,
     ):
         self._metrics = metrics
         self._session = session
         self._api_token = api_token
         self._public_keys_cache = public_keys_cache
+        self._api_url = api_url
 
     def verify(self, *, payload, key_id, signature):
 
@@ -217,15 +219,8 @@ def _headers_auth(self):
         return {"Authorization": f"token {self._api_token}"}
 
     def _retrieve_public_key_payload(self):
-
-        token_scanning_pubkey_api_url = (
-            "https://github.com/api/meta/public_keys/token_scanning"
-        )
-
         try:
-            response = self._session.get(
-                token_scanning_pubkey_api_url, headers=self._headers_auth()
-            )
+            response = self._session.get(self._api_url, headers=self._headers_auth())
             response.raise_for_status()
             return response.json()
         except requests.HTTPError as exc:

warehouse/integrations/github/views.py

@@ -47,6 +47,7 @@ def github_disclose_token(request):
     verifier = utils.GitHubTokenScanningPayloadVerifier(
         session=request.http,
         metrics=metrics,
+        api_url=request.registry.settings["github.token_scanning_meta_api.url"],
         api_token=request.registry.settings.get("github.token"),
     )